An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Monthly Archives: August 2012

On August 23, 2012, it was announced that President Benigno Aquino III of the Philippines signed the Data Privacy Act of 2012 into law, thus adding the Philippines to the growing ranks of countries with a comprehensive data privacy regime. The Act was passed by the Filipino legislature in March of 2012.

The Act contains many provisions that have become familiar in such comprehensive data privacy legislation.

The Act begins by declaring privacy to be a fundamental human right (Section 2).

The definition of personal information in the Act is fairly broad (“any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained”), and there is also a definition for sensitive personal information, which is deemed to include the standard repertoire of higher-level personal information (race, health, religion, political affiliation, etc.) (Section 3).

The scope of the Act is extra-jurisdictional in some important respects. The Act applies to any data controller or processor that is located in the Philippines, or that uses “equipment that are located in the Philippines.” This provision seems to be referring to data housing or cloud services that are maintained in the Philippines. Further, the Act specifically affirms its extra-jurisdictional scope by providing that any entity outside of the Philippines is subject to it when that entity has engaged in an act or practice that relates to the personal information of a citizen or resident of the Philippines. Importantly, the Act does not apply to personal information “originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines” (Sections 4-6).

The Act sets up a National Privacy Commission. This independent body will have broad authority to administer the Act by, among other activities, handling complaints, providing guidance on the Act’s applicability, and recommending to the Filipino Department of Justice that it take action against persons who violate the Act (Section 7).

A list of data processing principles is provided for by the Act. Similar to the processing principles of other data privacy regimes, such as the European Directive, the processing must be lawful, reasonable, for a specific purpose, and the information may be retained only so long as it is needed for such purpose. There are also rules about the prohibition of processing of sensitive personal information, along with a list of exemptions and caveats: where consent has been given, for medical reasons, for legal reasons, for public administration and other explicitly lawful purposes, and in the case of incapacity on the part of the data subject (Sections 11-15).

The data subject possesses a set of rights under the Act. The data subject has the right to know of the processing of his/her personal information, to know the purpose and scope of the processing, the recipients of his/her personal information, the time period for the retention of the personal information, and the contact information for the controller or processor, among other things. Further, the data subject, as in similar data privacy laws, has the right to inquire into the above questions and receive an answer within a reasonable time period. A general exemption exists under the Act with respect to personal information processed for “scientific or statistical” research (Sections 16-19).

The data controller or processor is required to maintain a security system that is “reasonable and appropriate,” and must notify the Commission and affected data subjects in the event of a security breach. The notification may only be delayed in order to fully understand the scope of the breach, prevent further disclosures, or restore integrity to the system; thus, for all intents and purposes, notification must take place as immediately as is practicable (Section 20).

The Act definitely has some significant teeth. Prison terms of up to six years and hundred-thousand-dollar fines “shall” be imposed for breaking the provisions of the Act. The Act specifies that if the offender is a legal person, its officers may be liable for the offense (Sections 25-37).

An important impetus for the Act is to bolster the data security environment in the Philippines in order to encourage further growth in the BPO sector. The Philippines is already seen by leading firms to be a new hot spot in BPO services, as this article by the Oxford Business Group reports. Foreign firms that use Philippine-based BPO services will want to ensure they are on the same page with their service providers as regards the compliance with the Act.

As the APEC CBPR System moves forward, it will be interesting to observe the manner of Filipino participation. The Act does not provide very much detail on cross border data transfer, and the portions that do address this question, including Section 21, seem to provide a basis for interoperability between the Act and the principles of the CBPR System. So it is possible that there could be quite a bit of synergy between the two programs.

The Act gives the Commission 90 days to create Implementing Rules and Regulations (“IRR”). And covered entities will have one year from the creation of the IRR, or such time as the Commission determines, to come into compliance with the Act. It will be important to monitor the manner in which the Commission implements the Act. Specifically, close attention should be given to the IRR when they are released later this year.

Yesterday, the California legislature passed the Location Privacy Act of 2012 (SB-1434) (the "Act"). The Act requires law enforcement to obtain search warrants before gathering GPS or other location-related data that a suspect’s cell phone may be transmitting. The Act is now awaiting signature by Governor Jerry Brown; however, he vetoed similar legislation last year.

The Act was sponsored by Sen. Leno (D-San Francisco), and supported by the ACLU of California and the Electronic Frontier Foundation. The subject of warrantless GPS tracking continues to be a hot topic nationally. Last week, the Sixth Circuit ruled that law enforcement can track the GPS signal coming from a suspect’s prepaid cell phone without a warrant in United States v. Skinner, No. 09-6497 (6th Cir. Aug. 14, 2012). In issuing the decision, the Court stated that "[t]here is no Fourth Amendment violation because Skinner did not have a reasonable expectation of privacy in the data given off by his voluntarily procured pay-as-you-go cell phone."

The California Senate also passed another privacy related bill earlier this week, which would prohibit colleges and universities from requiring access to students’ social media accounts. The bill also moves to the Governor’s desk for signature. A similar bill pending in the Assembly would provide similar protection to employees and job applicants as well.

On July 19, 2012, the U.S. Senate Judiciary Committee, Subcommittee on Privacy, Technology and the Law, held a hearing entitled “What Facial Recognition Technology Means for Privacy and Civil Liberties”. Individuals from academia, industry, and federal agencies examined the use of facial recognition technology and its potential impact on privacy and civil liberties.

Social media giant Facebook has been the impetus behind the facial recognition movement. In 2010, Facebook acquired the licensing to create unique “face prints” for its nearly 800 million users – without their knowledge or consent – in a program called “tag suggestions.” Outside of social media, companies are increasingly relying on facial recognition technology to gauge viewer response to video content, confirm user identities at ATMs, and identify consumer trends for brand loyalty and rewards programs.

In line with the privacy principles articulated in the Federal Trade Commission’s (FTC) March 2012 Privacy Report, panelists discussed the need for transparency in facial recognition technology use and opt-in requirements for these services. In particular, panelists disagreed on the extent to which conventional opt-in requirements should be applied in the facial recognition context. In his staunch opposition, FTC Commissioner J. Thomas Rosch testified that a rigorous cost-benefit analysis should be conducted before the FTC embraces an opt-in requirement and imposes “best practices” for facial recognition services on the grounds of potential misuse.

Despite Commissioner Rosch’s dissent, the FTC is expected to release a report later this year setting forth recommended best practices and the extent to which “affirmative express consent” will be required for the collection and use of data made available through facial recognition technology.

Just ten months after it entered into a consent decree with the FTC in a case charging that it violated its privacy promises when it launched Google Buzz, Google has agreed to pay $22.5 million to settle charges that it violated that agreement by making misrepresentations to Apple Safari users. In addition to the $22.5 million civil fine – the largest ever obtained by the FTC for a violation of one of its orders – the settlement agreement requires that Google disable all the tracking cookies it said it would not place on users’ computers.

According to the FTC complaint, Google told Apple Safari users that the browser’s default privacy options would protect them from being tracked by Google’s DoubleClick advertising network – stating that Safari’s default settings were effectively the same thing as opting out of DoubleClick tracking. Google then went ahead and placed advertising tracking cookies on Safari users’ computers anyway – in many cases by utilizing an exploit to circumvent the privacy protections built into Safari. These misrepresentations, the FTC charged, violated the earlier consent decree that barred Google from misrepresenting the extent to which consumers can control collection of their information.

This case is just the latest in which the FTC brings its enforcement power to bear in ensuring companies respect their own privacy policies and representations. As FTC Chairman Jon Leibowitz states in the FTC press release, “all companies must . . . keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”

In an interesting twist, though, Google was allowed a fairly strongly worded denial of liability in the consent decree. Paragraph 2 of the decree states that Google "denies any violation of the FTC Order, any and all liability for the claims set forth in the Complaint, and all material allegations of the Complaint save for those regarding jurisdiction and venue." This language, rather than the more common "neither admit nor deny" formula, caused Commissioner J. Thomas Rosch to issue a fairly strongly worded dissent. Pointing out that the FTC had essentially charged Google with contempt and that it was Google’s "second bite at the [deceptive conduct] apple", Commissioner Rosch found the Commission’s acceptance of Google’s denial of liability "inexplicable."

Many drivers know the futility of trying to fight a parking ticket, but one Illinois driver came up with an attack against his that has ended up with the Seventh Circuit Court of Appeals, sitting en banc, backing him up in an opinion released this past Monday. At 1:35 a.m. on August 20, 2010, a Palatine, Illinois, police officer ticketed Jason Senne’s illegally parked car and placed the ticket on the car windshield. Mr. Senne retrieved the ticket about five hours later and, not willing to pay the $20 fine and move on, fought back by filing suit against Palatine for violation of the Driver’s Privacy Protection Act, 18 U.S.C. §§ 2721-25 (“DPPA”).

DPPA, which was enacted after a stalker obtained the home address of actress Rebecca Schaeffer from the California DMV and then used the information to find and kill her, places strict limits on how and why personal information contained in state DMV records can be released. It restricts not only disclosure by DMV employees, but also disclosure by those who lawfully obtain information from the DMV (in the Schaeffer matter, the stalker had hired a private investigator to obtain the information).

It turns out that in Palatine, when a police officer writes a parking ticket, information about the car’s owner is downloaded from the DMV and then printed on the parking ticket itself. This information includes the owner’s full name, address, driver’s license number, date of birth, sex, height, and weight. The parking ticket is then placed on the windshield of the car. Mr. Senne contended that placing the ticket on the windshield, in public view, constituted a disclosure of that private information in violation of DPPA and filed suit in Federal District Court. Palatine moved to dismiss the suit for failure to state a claim. It contended that the parking ticket was not a disclosure and that, even if it was, it was permitted under a specific exception in DPPA. The District Court agreed with Palatine and dismissed the case, a decision that was affirmed on appeal. The Seventh Circuit Court then agreed to rehear the case en banc and, in a decision issued this past Monday, reversed the District Court.

Palatine argued that placing the ticket on the windshield did not constitute a disclosure because Mr. Senne had failed to allege that anyone other than himself had actually seen it. The Court, in rejecting Palatine’s argument, stated that the effect of placing the ticket on the windshield made the information available to any passer-by. The Court ruled that whether or not anyone else saw it is irrelevant, the act of placing it on the windshield is itself a publication that is prohibited by DPPA. The Court’s opinion is available here.